8.2.0

(major version) 6 October - 115MB
The new version includes experimental modules to place blocks on pages, edit block configuration without leaving the page, create content moderation workflows, and use date ranges. Many smaller authoring, site building, and REST improvements are included as well.
Read more: http://drupal.org/project/drupal/releases/8.2.0

8.1.10

26 September - 115MB

Security

Users without "Administer comments" can set comment visibility on nodes they can edit (Less critical): Users who have the right to edit a node can set the visibility of comments on that node. This should be restricted to users with the "Administer comments" permission.

Cross-site scripting in HTTP exceptions (Critical): An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim's browser. Drupal was not properly sanitizing an exception

Full config export can be downloaded without administrative permissions (Critical): The system.temporary route allowed the download of a full configuration export. That export should be limited to users with the "Export configuration" permission.

8.1.1

There is not yet per-commit testing for MySQL 5.7.9 or MariaDB 10.1.8 (both released October 2015), but there are no known issues with them. We intend to add per-commit testing on one of these databases in the future.

#2678822 by DamienMcKenna, David_Rothstein, stefan.r, Berdir: Drupal 7.43 / 8.0.4 regression: When an anonymous user submits a form with an un-uploaded file that leads to a validation error, the file is lost on the next correct submission

#2710685 by dimaro, er.pushpinderrana, jhodgdon: inconsistent use of tags in docs for template_preprocess_links()

8.0.6

13 April - 115MB

Known issues

Installs on php-fpm environments may see fatal errors on enabling modules, due to #2572293: Do not rebuild router in kernel.terminate.

There is not yet per-commit testing for MySQL 5.7.9 or MariaDB 10.1.8 (both released October 2015), but there are no known issues with them. We intend to add per-commit testing on one of these databases in the future.

8.0.4

File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical): A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved. This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical): The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once). This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.
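As an added illustration of the amplification described above (Python, written for this page; not Drupal's XML-RPC server code), the sketch below shows why flood control has to be applied per method call rather than per HTTP request: a single system.multicall carries as many login attempts as the attacker likes, and only a counter that every sub-call passes through stops the guessing. The demo.login method, the credential store and the client address are constructed for the example.

```python
import time
from collections import defaultdict


class FloodControl:
    """Sliding-window hit counter keyed by (event, identifier), in the spirit of
    Drupal's flood table: allow at most `threshold` hits per `window` seconds."""

    def __init__(self, threshold: int, window: float, clock=time.time):
        self.threshold, self.window, self.clock = threshold, window, clock
        self.hits = defaultdict(list)

    def is_allowed(self, event: str, identifier: str) -> bool:
        now = self.clock()
        recent = [t for t in self.hits[(event, identifier)] if t > now - self.window]
        self.hits[(event, identifier)] = recent
        return len(recent) < self.threshold

    def register(self, event: str, identifier: str) -> None:
        self.hits[(event, identifier)].append(self.clock())


USERS = {"alice": "correct-horse-battery"}  # constructed credential store


def demo_login(params, ctx):
    """A brute-forceable method (constructed). Returns True on a password match
    and an XML-RPC fault dict once the caller's flood allowance is spent."""
    name, password = params
    if not ctx["flood"].is_allowed("xmlrpc_login", ctx["client_ip"]):
        return {"faultCode": 403, "faultString": "Too many login attempts"}
    ctx["flood"].register("xmlrpc_login", ctx["client_ip"])
    return USERS.get(name) == password


METHODS = {"demo.login": demo_login}


def system_multicall(calls, ctx):
    """Run each sub-call through the same dispatcher as a standalone request,
    so per-call protections are not bypassed by batching."""
    results = []
    for call in calls:
        handler = METHODS.get(call["methodName"])
        if handler is None:
            results.append({"faultCode": -32601, "faultString": "Method not found"})
            continue
        results.append(handler(call["params"], ctx))
    return results


def brute_force_once(candidates, threshold):
    """One HTTP request that carries len(candidates) guesses for 'alice'.
    Returns (guesses actually evaluated, whether the password was found)."""
    ctx = {"flood": FloodControl(threshold, window=3600.0), "client_ip": "203.0.113.7"}
    calls = [{"methodName": "demo.login", "params": ["alice", pw]} for pw in candidates]
    results = system_multicall(calls, ctx)
    evaluated = sum(1 for r in results if isinstance(r, bool))
    return evaluated, any(r is True for r in results)
```

With an effectively unbounded threshold, one request evaluates every guess and finds the password; with a threshold of five, only five sub-calls are evaluated and the rest return faults. The same structure applies to any method that is expensive or guessable: batch handlers must call the ordinary dispatcher, never a fast path that skips its checks.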

Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical): In Drupal 6 and 7, the current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities. This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL. For Drupal 8 this is a hardening against possible browser flaws handling certain redirect paths.

Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical): An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition. This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).

HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical): A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing. This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.

Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical): The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL. This vulnerability is mitigated by the fact that the attack is not possible for sites running on PHP 5.4.7 or greater.
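The open redirect and header injection entries above (and the "destination" advisories for 7.35 and 7.38 further down) share one root cause: a destination taken from the request is checked for being external before it is fully decoded, or is passed into a response header without line-break filtering. The Python below is an added example (not Drupal code and not the drupal_goto() fix) of the check a practitioner would want: decode until the value is stable, then reject anything with a scheme, a network-path prefix, a leading backslash, or CR/LF. The function names and sample inputs are constructed for this illustration.

```python
from urllib.parse import unquote, urlsplit


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing.

    Checking after a single decode is the bug: 'http%253A%2F%2Fevil.example'
    becomes 'http%3A//evil.example', which has no scheme yet, and a later
    decode (browser, proxy, or a second urldecode()) turns it into an
    absolute URL. max_rounds bounds the work on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_local_destination(raw: str) -> bool:
    """True only if the destination stays on this site after full decoding."""
    dest = fully_decode(raw)
    if not dest:
        return False
    # Line breaks would let the value terminate the Location header and
    # start a new one (header injection).
    if "\r" in dest or "\n" in dest:
        return False
    parts = urlsplit(dest)
    # Rejects 'http://evil', '//evil', 'javascript:...', 'evil.example:80/x'.
    if parts.scheme or parts.netloc:
        return False
    # Browsers treat '\' like '/', so '/\evil.example' is network-path too.
    if dest.startswith("\\") or (dest.startswith("/") and dest[1:2] in ("/", "\\")):
        return False
    return True


def redirect_location(raw: str, fallback: str = "/") -> str:
    """Value for the Location header: the local destination, else the fallback.

    The decoded path is returned so the caller re-encodes it with its own URL
    builder; the raw request value must never be concatenated into a header.
    """
    return fully_decode(raw) if is_local_destination(raw) else fallback
```

The decode loop is what defeats the double-encoding trick; the CR/LF test is what the drupal_set_header() advisory is about; and the backslash and network-path tests cover the "hardening against possible browser flaws" mentioned for Drupal 8.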

Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical): Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content. This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.

Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical): Some specific contributed or custom code may call Drupal's user_save() API in a manner different than Drupal core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site. This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.

Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical): In certain configurations where a user's email addresses could be used to log in instead of their username, links to "have you forgotten your password" could reveal the username associated with a particular email address, leading to an information disclosure vulnerability. This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users' real-life identities.

Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical): On certain older versions of PHP, user-provided data stored in a Drupal session may be unserialized leading to possible remote code execution. This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular Drupal code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

#2606548: \Drupal\rest\Plugin\views\row\DataFieldRow::render should take into account the 'exclude' flag

Known issues

Installs on php-fpm environments may see fatal errors on enabling modules, due to #2572293: Do not rebuild router in kernel.terminate.

There is not yet per-commit testing for MySQL 5.7.9 or MariaDB 10.1.8 (both released October 2015), but there are no known issues with them. We intend to add per-commit testing on one of these databases soon.

8.0.2

#2625258: LocaleConfigManager::updateConfigTranslations() deletes translations if a config object's name happens to match that of a shipped configuration object. Note that no upgrade path is included for this fix (see known issues below).

#2620176: Logo image settings form is broken, breaks per-theme overrides and can result in data loss

Known issues

#2628004: Create an upgrade path to determine if default_config_hash should be added (2625258). This affects all sites created before 8.0.2 that have locale or an additional language installed (or that will install them in the future). Until this issue is fixed, sites will need to use the core Configuration Translation module to create their own translations for default configuration of currently installed modules, rather than automatically downloading them from localize.drupal.org.

Installs on php-fpm environments may see fatal errors on enabling modules, due to #2572293: Do not rebuild router in kernel.terminate.

There is not yet per-commit testing for MySQL 5.7.9 or MariaDB 10.1.8 (both released October 2015), but there are no known issues with them. We intend to add per-commit testing on one of these databases soon.

Installs on php-fpm environments may see fatal errors on enabling modules, due to #2572293: Do not rebuild router in kernel.terminate.

While PHP 7 does not yet have a stable release, Drupal 8.0.x is now tested on every commit with PHP 5.5, 5.6 and 7 with a 100% pass rate, so should support PHP 7’s first stable release once it is available (expected tomorrow December 3rd).

There is not yet per-commit testing for MySQL 5.7.9 or MariaDB 10.1.8 (both released October 2015), but a minor incompatibility issue was fixed since RC4, and there are no known issues with them otherwise. We intend to add per-commit testing on one of these databases soon.

8.0.0-rc3

(beta version) 5 November 2015 - 115MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

This release candidate includes numerous fixes to regressions in CKEditor since beta 15.

Known issues

We are confident that our code is stable enough for wider testing by site owners, developers, and end users. However, there are currently 6 known critical issues with this release candidate. We expect to identify and resolve additional critical issues as the release candidate is tested more widely.

8.0.0-rc1

(beta version) 12 October 2015 - 115MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

We are confident that our code is stable enough for wider testing by site owners, developers, and end users. There are however still known issues with Drupal 8.0.x, including major bugs. Help resolve these issues by testing Drupal 8 and searching for existing bug reports and adding more information to help resolve those bugs. If your suspected bug hasn't been reported yet, submit a bug report.

There is a known issue with response cache headers sometimes exceeding hosting configuration limits that may cause some pages to not be viewable on some hosting providers. If you run into this, see that issue and its related issues for details.

#2575421 by Cottser, mdrummond, lauriii, davidhernandez, LewisNyman, catch, alexpott, joelpittet, webchick, Bojhan, emma.maria, mortendk: Add a Stable base theme to core and make it the default if a base theme is not specified

8.0.0-beta14

(beta version) 4 August 2015 - 95MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Known issues

Obvious user-facing bugs: If you are testing the beta, be aware that there are obvious site visitor- and site builder-facing bugs.

There are still over 20 critical issues with this beta release that need to be resolved before we will create a release candidate.

#2501481 by Cottser, davidhernandez, kfriend, alimac, YesCT, lauriii, tim.plunkett, cilefen, lbainbridge, porchlight: form_select_options() is a theme function in disguise and should not use SafeMarkup::set

#2513396 by Cottser, larowlan, HelloNewman, webchick, crowdg, Bojhan, eliza411, ivanstegic, LewisNyman, lunk_rat, nickrosencrans, stpaultim: There is no link, anywhere, to a contact form once a user creates it

8.0.0-beta12

(beta version) 30 June 2015 - 95MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Known issues

Obvious user-facing bugs: If you are testing the beta, be aware that there are obvious site visitor- and site builder-facing bugs.

There are still over 20 critical issues with this beta release that need to be resolved before we will create a release candidate.

Changes since 8.0.0-beta11

#2512452 by dawehner, pwolanin, alexpott, fnqgpc: Confirm form cancel button can lead to external domain

#2456521 by pjonckiere, mpdonadio, jhodgdon, rteijeiro, David_Rothstein, xjm: Add DateFormatter::formatDiff() as a non-buggy alternative to DateFormatter::formatInterval() when the start and end of the interval are known

#2346261 by DuaelFr, kmoll, Berdir: Deprecate entity_create() in favor of a ::create($values) or \Drupal::entityManager()->getStorage($entity_type)->create($values)

#2279105 by mgifford, nidaismailshah, thedavidmeister, amitgoyal, rpayanm, ameenkhan07, rakhimandhania, jhodgdon: Remove as many "..." and ellipsis characters from the codebase as possible without altering the meaning of text

8.0.0-beta11

(beta version) 28 May 2015 - 95MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Known issues

Obvious user-facing bugs: If you are testing the beta, be aware that there are obvious site visitor- and site builder-facing bugs.

There are still over 20 critical issues with this beta release that need to be resolved before we will create a release candidate.

#2461845 by Fabianx, Berdir, larowlan, David_Rothstein, Gábor Hojtsy: Private files that are no longer attached to an entity should not suddenly become accessible to people who couldn't see them before

8.0.0-beta10

(beta version) 8 May 2015 - 95MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Known issues

Obvious user-facing bugs: If you are testing the beta, be aware that there are obvious site visitor- and site builder-facing bugs.

There are still over 40 critical issues with this beta release that need to be resolved before we will create a release candidate.

Changes since 8.0.0-beta9:

#2479593 by jhedstrom, zaporylie: Use User::getAnonymousUser() in DblogController::eventDetails()

8.0.0-beta9

(beta version) 27 March 2015 - 95MB
This release is a beta version. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Known issues

Obvious user-facing bugs: If you are testing the beta, be aware that there are obvious site visitor- and site builder-facing bugs.

There are still over 50 critical issues with this beta release that need to be resolved before we will create a release candidate.

Changes since 8.0.0-beta8

Revert "Issue #2457653 by Gábor Hojtsy: System.site langcode is both used as a file language code and a site language code"

#2458925 by alexpott: Screen is black and completely unreadable in Configure page after install on standard profile

#2457653 by Gábor Hojtsy: System.site langcode is both used as a file language code and a site language code

#2411689 by alexpott: Use a MemoryBackend in StorageComparer so that configuration import validators don't have to reread data from disk or the db

7.41

SA-CORE-2015-004: The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

7.40

15 October 2015 - 24MB
Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major new functionality); major, non-backwards-compatible new features are only being added to the forthcoming Drupal 8.0 release.

Upgrading .htaccess to incorporate this change is strongly recommended:

A change to set the X-Content-Type-Options header to "nosniff" when possible, to prevent certain web browsers from picking an unsafe MIME type (see #462950).

Upgrading settings.php to incorporate the following changes is recommended but not required:

A change to exclude private files from the "404_fast_paths" behavior. This is useful primarily for sites which call drupal_fast_404() directly from settings.php (see #2455057).

A documentation change to make it easier for development sites to enable the 'theme_debug' feature via settings.php (see #2538640).

Major changes

Added an optional 'project:' prefix that can be added to dependencies in a module's .info file to indicate which project the dependency resides in (API addition: https://www.drupal.org/node/2299747).

Prevented the database API from executing multiple queries at once on MySQL, if the site's PHP version is new enough to do so. This is a secondary defense against SQL injection (API change: https://www.drupal.org/node/2463973).

Changed one-time login link failure messages to be displayed as errors or warnings as appropriate, rather than as regular status messages (minor UI change and data structure change).

Changed the default settings.php configuration to exclude private files from the "404_fast_paths" behavior.

Changed the page that displays filter tips for a particular text format, for example filter/tips/full_html, to return "page not found" or "access denied" if the format does not exist or the user does not have access to it. This change adds a new menu item to the Filter module's hook_menu() entry (minor data structure change).

Added a new hook, hook_block_cid_parts_alter(), to allow modules to alter the cache keys used for caching a particular block.

Made drupal_set_message() display and return messages when "0" is passed in as the message to set.

The "worker callback" provided in hook_cron_queue_info() and the "finished" callback specified during batch processing can now be any PHP callable instead of just functions.

Prevented drupal_set_time_limit() from decreasing the time limit in the case where the PHP maximum execution time is already unlimited.

Prevented malformed theme .info files (without a "name" key) from causing exceptions during menu rebuilds. If an .info file without a "name" key is found in a module or theme directory, Drupal will now use the module or theme's machine name as the display name instead.

Made the format column in the {date_format_locale} database table case-sensitive, to match the equivalent column in the {date_formats} table.

Fixed a bug in the Statistics module that caused JavaScript files attached to a node while it is being viewed to be omitted from the page.

Fixed various bugs that occurred after hooks were invoked early in the Drupal bootstrap and that caused module_implements() and drupal_alter() to cache an incomplete set of hook implementations for later use.

Set the X-Content-Type-Options header to "nosniff" when possible, to prevent certain web browsers from picking an unsafe MIME type.

Fixed a bug in the Drupal 6 to Drupal 7 upgrade path which caused the upgrade to fail when there were multiple file records pointing to the same file.

7.39

Cross-site Scripting - Ajax system - Drupal 7: A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML. Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - Drupal 6 and 7: A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection - Database API - Drupal 7: A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments. This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery - Form API - Drupal 6 and 7: A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account. This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7: Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

Major changes

The Ajax system now validates URLs before making an Ajax request. Existing code which uses the Drupal Ajax API in any of the standard ways should continue to work after this update. In the event you have unusual Ajax code which does not work with Drupal 7.39, you can have your code manually validate the URL in one of two ways. Either add the URL to the "urlIsAjaxTrusted" JavaScript setting (see ajax_pre_render_element() for an example) or call ajax_set_verification_header() in the Ajax callback function to mark the current URL as trusted. Only do this for URLs that you actually trust; Ajax requests in Drupal should never be made to untrusted URLs.

For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms (use element_info_property() for help with that). Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details).

When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor.

7.38

CVE-2015-3234 Impersonation (OpenID module - Drupal 6 and 7 - Critical): A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

CVE-2015-3232 Open redirect (Field UI module - Drupal 7 - Less critical): The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks. This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected. Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed CCK module: SA-CONTRIB-2015-126.

CVE-2015-3233 Open redirect (Overlay module - Drupal 7 - Less critical): The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

CVE-2015-3231 Information disclosure (Render cache system - Drupal 7 - Less critical): On sites utilizing Drupal 7's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users. This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).
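An added Python model (not the Drupal 7 render cache and not the contributed Render Cache module) of the caching mistake described above: when the cache key is derived from roles alone, user 1 without an administrator role shares the "authenticated" key with every ordinary user, and whatever user 1 rendered first is served to them. Treating uid 1 as uncacheable closes the hole, and giving user 1 an administrator role separates the keys, which is the limited exposure the advisory mentions. The dashboard builder and the accounts are constructed.

```python
def key_by_roles(account: dict):
    """Pre-fix shape: the cache key depends only on the account's roles."""
    return "render:" + ",".join(sorted(account["roles"]))


def key_by_roles_uid1_bypass(account: dict):
    """uid 1 bypasses access checks everywhere, so it must not share a key
    with anyone: returning None marks its output as uncacheable."""
    if account["uid"] == 1:
        return None
    return key_by_roles(account)


class RenderCache:
    """Minimal render cache: key -> rendered output."""

    def __init__(self):
        self.store = {}

    def render(self, account: dict, build, key_fn) -> str:
        key = key_fn(account)
        if key is not None and key in self.store:
            return self.store[key]
        output = build(account)
        if key is not None:
            self.store[key] = output
        return output


def build_dashboard(account: dict) -> str:
    """Constructed page: a private block appears for uid 1 or administrators."""
    if account["uid"] == 1 or "administrator" in account["roles"]:
        return "public block + PRIVATE block"
    return "public block"


def what_bob_sees(key_fn, user1_roles=("authenticated",)) -> str:
    """User 1 views the page first, then an ordinary authenticated user.
    Returns what the ordinary user is served."""
    cache = RenderCache()
    user1 = {"uid": 1, "roles": set(user1_roles)}
    bob = {"uid": 42, "roles": {"authenticated"}}
    cache.render(user1, build_dashboard, key_fn)
    return cache.render(bob, build_dashboard, key_fn)
```

The general rule this illustrates: a cache key must capture every input the access decision depends on. Any account that gets special treatment outside the role system (uid 1, node grants, per-user overrides) either needs that treatment reflected in the key or must skip the cache.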

7.37

Fixed a regression in Drupal 7.36 which caused certain kinds of content types to become disabled if they were defined by a no-longer-enabled module.

Removed a confusing description regarding automatic time zone detection from the user account form (minor UI and data structure change).

Allowed custom HTML tags with a dash in the name to pass through filter_xss() when specified in the list of allowed tags.

Allowed hook_field_schema() implementations to specify indexes for fields based on a fixed-length column prefix (rather than the entire column), as was already allowed in hook_schema() implementations.

7.36

Prevented the form API from allowing arrays to be submitted for various form elements, such as textfields, textareas, and password fields (API change: https://www.drupal.org/node/2462723).

Added a 'javascript_always_use_jquery' variable which can be set to FALSE by sites that may not need jQuery loaded on all pages, and a 'requires_jquery' option to drupal_add_js() which modules can set to FALSE when adding JavaScript files that have no dependency on jQuery (API addition: https://www.drupal.org/node/2462717).

Added a user_has_role() function to check whether a user has a particular role (API addition: https://www.drupal.org/node/2462411).

Fixed a bug that caused database query tags not to be added to search-related database queries under many circumstances, and which prevented the corresponding hook_query_TAG_alter() implementations from being called.

Changed permission descriptions throughout Drupal core to consistently link to relevant administrative pages, regardless of whether the user viewing the Permissions page can view the page being linked to (minor UI change).

Fixed the drupal_add_region_content() function so that it actually adds content to the page.

Added an 'image_suppress_itok_output' variable to allow sites already using the existing 'image_allow_insecure_derivatives' variable to also prevent security tokens from appearing in image derivative URLs.

#2380053 by klausi, pwolanin, tsphethean, sun, David_Rothstein: Posting an array as value of a form element is allowed even when a string is expected (and bypasses #maxlength constraints) - first step: text fields

#2380143 by Lendude, pwolanin: Contact forms set an incorrect name and e-mail address on the global user object after the form is submitted.

7.35

Access bypass (Password reset URLs - Drupal 6 and 7): Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. In Drupal 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In Drupal 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in the database being empty for at least one user account. Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value.
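The following Python example is added here (it is not Drupal's user_pass_rehash() and not the 7.35 patch) to show why identical or empty password hashes break one-time login links. The token is an HMAC keyed by the site secret plus the account's stored hash, over the link's timestamp and last-login value, which is the shape of a link that expires when the password changes. If the account id is not bound into the token, a link issued for the attacker's own account validates for any other account with the same hash and login value, simply by editing the uid in the URL. The account table, salt and timestamps are constructed; binding the uid is shown as the illustrative defense.

```python
import base64
import hashlib
import hmac

SITE_SALT = b"constructed-site-private-key"

# Constructed accounts: imported with one shared password hash, never logged in.
ACCOUNTS = {
    1: {"hash": "$S$SAMEHASHSAMEHASHSAMEHASH", "login": 0},
    7: {"hash": "$S$SAMEHASHSAMEHASHSAMEHASH", "login": 0},
}


def reset_token(uid: int, timestamp: int, accounts=ACCOUNTS, bind_uid: bool = True) -> str:
    """Token for a link of the form user/reset/{uid}/{timestamp}/{token}.

    Keying the MAC with the stored hash makes the link die when the password
    changes. With bind_uid=False the account id is not part of the MAC input,
    so accounts sharing a hash and login value get identical tokens.
    """
    acct = accounts[uid]
    data = f"{timestamp}:{acct['login']}" + (f":{uid}" if bind_uid else "")
    key = SITE_SALT + acct["hash"].encode()
    mac = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def validate_reset_link(uid: int, timestamp: int, token: str, now: int,
                        accounts=ACCOUNTS, bind_uid: bool = True, ttl: int = 86400) -> bool:
    """Accept the link only for a known uid, within ttl, with a matching token."""
    if uid not in accounts or not (now - ttl < timestamp <= now):
        return False
    expected = reset_token(uid, timestamp, accounts, bind_uid)
    return hmac.compare_digest(expected, token)


def forge_demo(bind_uid: bool) -> bool:
    """Attacker (uid 7) requests a reset link for themselves, then swaps uid 7
    for uid 1 in the link. Returns True if the forged link is accepted."""
    issued_at = 1_700_000_000
    token_for_7 = reset_token(7, issued_at, bind_uid=bind_uid)
    return validate_reset_link(1, issued_at, token_for_7, now=issued_at + 60, bind_uid=bind_uid)
```

The advisory's note about empty or fixed hashes follows directly: the per-account part of the key is then the same for every affected account, so only what else goes into the MAC input distinguishes them.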

Open redirect (Several vectors including the "destination" URL parameter - Drupal 6 and 7): Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities. This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Drupal 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some Drupal 6 confirmation forms are vulnerable too.

7.34

Session hijacking (Drupal 6 and 7): A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only): Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability can be exploited by anonymous users.

7.33

Added an entity_view_mode_prepare() API function to allow entity-defining modules to properly invoke hook_entity_view_mode_alter(), and used it throughout Drupal core to fix bugs with the invocation of that hook (API change: https://www.drupal.org/node/2369141).

Added a "theme_hook_original" variable to templates and theme functions and an optional sitewide theme debug mode, to provide contextual information in the page's HTML to theme developers. The theme debug mode is based on the one used with Twig in Drupal 8 and can be accessed by setting the "theme_debug" variable to TRUE (API addition).

Began storing the file modification time of each module and theme in the {system} database table so that contributed modules can use it to identify recently changed modules and themes (minor data structure change to the return value of system_get_info() and other related functions).

Added a "Did you mean?" feature to the run-tests.sh script for running automated tests from the command line, to help developers who are attempting to run a particular test class or group.

Changed the date format used in various HTTP headers output by Drupal core from RFC 1123 format to RFC 7231 format.

Added a "block_cache_bypass_node_grants" variable to allow sites which have node access modules enabled to use the block cache if desired (API addition).

Made image derivative generation HTTP requests return a 404 error (rather than a 500 error) when the source image does not exist.

Fixed a bug which caused user pictures to be removed from the user object after saving, and resulted in data loss if the user account was subsequently re-saved.

Fixed a bug in which field_has_data() did not return TRUE for fields that only had data in older entity revisions, leading to loss of the field's data when the field configuration was edited.

Fixed a bug which caused the Ajax progress throbber to appear misaligned in many situations (minor styling change).

Prevented the Bartik theme from lower-casing the "Permalink" link on comments, for improved multilingual support (minor UI change).

Added a "preferred_menu_links" tag to the database query that is used by menu_link_get_preferred() to find the preferred menu link for a given path, to make it easier to alter.

Removed the Field module's field_modules_uninstalled() function, since it did not do anything when it was invoked.

Security improvement: Made the database API's orderBy() method sanitize the sort direction ("ASC" or "DESC") for queries built with db_select(), so that calling code does not have to.

Changed the RDF module to consistently output RDF metadata for nodes and comments near where the node is rendered in the HTML (minor markup and data structure change).

Added an HTML class to RDFa metatags throughout Drupal to prevent them from accidentally affecting the site appearance (minor markup change).

Fixed a bug in the Unicode requirements check which prevented installing Drupal on PHP 5.6.

Fixed a bug which caused drupal_get_bootstrap_phase() to abort the bootstrap when called early in the page request.

Renamed the "Search result" view mode to "Search result highlighting input" to better reflect how it is used (UI change).

Improved database queries generated by EntityFieldQuery in the case where delta or language condition groups are used, to reduce the number of INNER JOINs (this is a minor data structure change affecting code which implements hook_query_alter() on these queries).

7.32

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

7.31

As of this release, the XML-RPC system in Drupal core will ignore information in declarations contained within XML-RPC messages (for example, XML version or character encoding information). This is not expected to matter for the vast majority of use cases.

The XML-RPC system and OpenID XRDS parser will also reject messages that contain over 30,000 XML tags within them. This limit is not expected to matter for the vast majority of use cases. If you need to process an XML-RPC message that is larger than that, you can change the limit by setting the "xmlrpc_message_maximum_tag_count" variable to a higher value. Do not set the value higher than you need, since allowing too many XML tags per XML-RPC message increases your site's vulnerability to denial of service attacks. The OpenID XRDS parser has a similar variable ("openid_xrds_maximum_tag_count") which can be used in a similar way.
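The tag-count guard described above, as an added example rather than the code in Drupal's xmlrpc.inc: the element tags in the request body are counted with a cheap regular expression and the message is discarded before the XML parser sees it when the count exceeds the limit. The 30,000 default mirrors the variable named above; the regular expression and the two sample messages are constructed for this illustration.

```php
<?php
// Added example, not Drupal's xmlrpc.inc: reject an oversized XML-RPC body
// before any parsing work is done.

define('XMLRPC_MAX_TAGS_DEFAULT', 30000); // Same default as the variable above.

/**
 * Counts opening and self-closing element tags. Comments ("<!--"), processing
 * instructions and the XML declaration ("<?") are skipped; tags inside CDATA
 * are counted too, which only makes the guard more conservative.
 */
function xmlrpc_count_tags($xml) {
  return preg_match_all('/<[^!?\/][^>]*>/', $xml);
}

/**
 * Parses an XML-RPC message into the flat structure produced by
 * xml_parse_into_struct(), or returns FALSE if it is rejected or malformed.
 */
function xmlrpc_parse_message($xml, $max_tags = XMLRPC_MAX_TAGS_DEFAULT) {
  if (xmlrpc_count_tags($xml) > $max_tags) {
    return FALSE; // Rejected before the XML parser sees a single byte.
  }
  $parser = xml_parser_create();
  $values = array();
  $ok = xml_parse_into_struct($parser, $xml, $values);
  xml_parser_free($parser);
  return $ok ? $values : FALSE;
}

// Constructed messages: a normal call, and one padded with 12,000 params
// (about 36,000 element tags), well over the default limit.
$small = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
$huge = '<methodCall><methodName>x</methodName><params>'
  . str_repeat('<param><value><int>1</int></value></param>', 12000)
  . '</params></methodCall>';

printf("small message: %s (%d tags)\n",
  xmlrpc_parse_message($small) === FALSE ? 'rejected' : 'parsed',
  xmlrpc_count_tags($small));
printf("huge message:  %s (%d tags)\n",
  xmlrpc_parse_message($huge) === FALSE ? 'rejected' : 'parsed',
  xmlrpc_count_tags($huge));
```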

7.30

24 July 2014 - 24MB

Major changes:

Fixed a regression introduced in Drupal 7.29 that caused files or images attached to taxonomy terms to be deleted when the taxonomy term was edited and resaved (and other related bugs with contributed and custom modules; see this issue or the Drupal 7.29 release notes for more details).

Added a warning on the permissions page to recommend restricting access to the "View site reports" permission to trusted administrators. See DRUPAL-PSA-2014-002.

All changes:

#2305017 by David_Rothstein, pwolanin | beech: Fixed Regression: Files or images attached to certain core and non-core entities are lost when the entity is edited and saved.

7.28

8 May 2014 - 24MB

This release includes bug fixes and small API/feature improvements only (no major new functionality or security fixes are included). Significant new features are only being added to the forthcoming Drupal 8.0 release.

Major changes:

Fixed a regression introduced in Drupal 7.27 that caused JavaScript to break on older browsers (such as Internet Explorer 8 and earlier) when Ajax was used.

Increased the timeout used by the Update Manager module when it fetches data from drupal.org (from 5 seconds to 30 seconds), to work around a problem which causes incomplete information about security updates to be presented to site administrators. This fix may lead to a performance slowdown on the Update Manager administration pages, when installing Drupal distributions, and (for sites that use the automated cron feature) on occasional page loads by site visitors.

Fixed the behavior of the token system's "[node:summary]" token when the body field does not have a manual summary.

Changed the behavior of db_query_temporary() so that it works on SELECT queries even when they have leading comments/whitespace. A side effect of this fix is that db_query_temporary() will now fail with an error if it is ever used on non-SELECT queries.

Added a "node_admin_filter" tag to the database query used to build the list of nodes on the content administration page, to make it easier to alter.

Made the cron queue system log any exceptions that are thrown while an item in the queue is being processed, rather than stopping the entire PHP request.

Improved screen reader support by adding an aria-live HTML attribute to file upload fields when there is an error uploading the file (minor markup change).

Made the pager on the Tracker module listing pages show the same number of items as other pagers throughout Drupal core (minor UI change).

Fixed a bug which caused caches not to be properly cleared when a file entity was saved or deleted.

Added several missing countries to the default list returned by country_get_list() (string change).

Replaced the term "weight" with "influence" in the content ranking settings for search, and added help text for administrators (string change).

Fixed untranslatable text strings in the administrative interface for the "Crop" effect provided by the Image module (minor string change).

Fixed a bug in the Taxonomy module update function introduced in Drupal 7.26 that caused memory and CPU problems on sites with very large numbers of unpublished nodes.

7.27

(security release) 16 April 2014 - 24MB

Moderately critical security release of the Drupal 7 series. A vulnerability was found in the handling of temporary storage of form states which could result in form states leaking between anonymous users (SA-CORE-2014-002).

Major changes:

Modules which use custom Ajax form page callbacks require updates for Drupal 7.27. This is expected to affect several popular modules such as Field Collection and Hierarchical Select, although only in cases where the form widgets provided by those modules are exposed to anonymous users.

Modules which provide alternative page cache implementations require updates for Drupal 6.31 and Drupal 7.27. This is expected to affect modules such as Boost and Authcache.

form_set_cache() now validates the passed-in form build ID. This is not expected to affect most sites.

7.26

(security release) 15 January 2014 - 24MB

Critical security release of the Drupal 7 series. A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

Major changes:

The database schema of the OpenID module's "openid_association" table has changed in this release (the "idp_endpoint_uri" column is now the primary key, rather than the "assoc_handle" column). During the update all existing entries in this table will be removed, but the table only stores temporary data and therefore the change is not expected to affect site operation or OpenID logins.

A new, optional $form_state['programmed_bypass_access_check'] element has been added to the form API, for use with drupal_form_submit(). If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them like it normally does for programmatic form submissions. Any code which passes untrusted data (provided by the current user) to drupal_form_submit() is recommended to use this parameter for security reasons.

7.25

2 January 2014 - 24MB

Maintenance release of the Drupal 7 series. Includes bugfixes and small API/feature improvements only (no major new functionality). No security fixes are included in this release.

Added an optional feature to the Statistics module to allow node views to be tracked by Ajax requests rather than during the server-side generation of the page. This allows the node counter to work on sites that use external page caches (string change and new administrative option: https://drupal.org/node/2164069).

Fixed a bug in node_save() which prevented the saved node from being updated in hook_node_insert() and other similar hooks.

Added a meta tag to install.php to prevent it from being indexed by search engines even when Drupal is installed in a subfolder (minor markup change).

Fixed a bug in the database API that caused frequent deadlock errors when running merge queries on some servers.

Performance improvement: Prevented block rehashing from writing blocks to the database on every cache clear and cron run when the blocks have not changed. This fix results in an extra 'saved' key which is added and set to TRUE for each block returned by _block_rehash() that actually is saved to the database (data structure change).

Added an optional 'skip on cron' parameter to hook_cron_queue_info() to allow queues to avoid being automatically processed on cron runs (API addition).

Fixed a bug which caused hook_block_view_MODULE_DELTA_alter() to never be invoked if the block delta had a hyphen in it. To implement the hook when the block delta has a hyphen, modules should now replace hyphens with underscores when constructing the function name for the hook implementation.

Fixed a bug which caused cached pages to sometimes be sent to the browser with incorrect compression. The fix adds a new 'page_compressed' key to the $cache->data array returned by drupal_page_get_cache() (minor data structure change).

Fixed broken tests on PHP 5.5.

Made the File and Image modules more robust when saving entities that have deleted files attached. The code in file_field_presave() will now remove the record of the deleted file from the entity before saving (minor data structure change).

Standardized menu callback functions throughout Drupal core to return MENU_NOT_FOUND and MENU_ACCESS_DENIED rather than printing their own "page not found" or "access denied" pages (minor API change in the return value of these functions under some circumstances).

Fixed a bug in which caches were not properly cleared when a node was deleted via the administrative interface.

Changed the Bartik theme to render content contained in pre, code and similar tags in a larger font size, so it is easier to read.

Fixed a bug in the Search module that caused exceptions to be thrown during searches if the server was not configured to represent decimal points as a period.

Fixed a regression in the Image module that made image_style_url() not work when a relative path (rather than a complete file URI) was passed to it.

Added a link to the drupal.org documentation page for cron to the Cron settings page (string change).

Added a 'drupal_anonymous_user_object' variable to allow the anonymous user object returned by drupal_anonymous_user() to be overridden with a classed object (API addition).

Changed the database API to allow inserts based on a SELECT * query to work correctly.

Changed the database schema of the {file_managed} table to allow Drupal to manage files larger than 4 GB.

Changed the File module's hook_field_load() implementation to prevent file entity properties which have the same name as file or image field properties from overwriting the field properties (minor API change).

7.24

(security release) 20 November 2013 - 24MB

This is a security release only fixing two issues:

This release contains a small change to the form API. It will have no effect on standard form API usage, but could affect code which does highly custom form processing; in particular, any code which calls functions like drupal_process_form() or drupal_validate_form() to process a form directly should be aware that when the form is validated, validation will now stop immediately in the case where the form's cross-site request forgery (CSRF) token fails validation. Previously all subsequent validation handlers would still be executed in this case.
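A minimal validation pipeline illustrating the behaviour change, written as an added example and not taken from Drupal's form.inc: the CSRF token is checked first, and with the new behaviour a failed token stops validation before any of the form's own validate handlers run. The handlers, token values and form state are constructed for the illustration.

```php
<?php
// Added example, not Drupal's form.inc: the CSRF token check runs first and,
// when it fails, no further validation handler executes.

function csrf_token_is_valid($submitted, $expected) {
  return is_string($submitted) && hash_equals($expected, $submitted);
}

/**
 * Runs $handlers (name => callable returning an error string or NULL).
 * Returns the errors and the names of the handlers that actually executed.
 */
function validate_form(array $form_state, array $handlers, $stop_on_csrf_failure = TRUE) {
  $errors = array();
  $ran = array();
  $token = isset($form_state['values']['form_token']) ? $form_state['values']['form_token'] : '';
  if (!csrf_token_is_valid($token, $form_state['expected_token'])) {
    $errors[] = 'The form has become outdated. Copy any unsaved work in the form below and then reload this page.';
    if ($stop_on_csrf_failure) {
      return array('errors' => $errors, 'ran' => $ran); // Behaviour since 7.24.
    }
  }
  // Behaviour before 7.24: every handler still runs on a forged request.
  foreach ($handlers as $name => $handler) {
    $ran[] = $name;
    $error = $handler($form_state['values']);
    if ($error !== NULL) {
      $errors[] = $error;
    }
  }
  return array('errors' => $errors, 'ran' => $ran);
}

// Constructed handlers: the second one stands in for work with side effects
// (a database lookup, an outgoing e-mail) that a forged request should never
// be able to trigger.
$handlers = array(
  'required_fields' => function (array $values) {
    return $values['title'] === '' ? 'Title is required.' : NULL;
  },
  'lookup_recipient' => function (array $values) {
    return NULL; // Imagine a query or a notification here.
  },
);
$state = array(
  'expected_token' => 'constructed-token-value',
  'values' => array('form_token' => 'wrong-token', 'title' => ''),
);

$old = validate_form($state, $handlers, FALSE);
$new = validate_form($state, $handlers, TRUE);
printf("before 7.24: %d errors, handlers run: %s\n",
  count($old['errors']), implode(', ', $old['ran']) ?: 'none');
printf("since 7.24:  %d errors, handlers run: %s\n",
  count($new['errors']), implode(', ', $new['ran']) ?: 'none');
```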

There is a new drupal_random_key() API function. Its usage is recommended for any code that needs to obtain a permanent, randomly-generated string which is safe to insert in HTML pages and URLs.

7.23

8 August 2013 - 24MB

Maintenance release of the Drupal 7 series. Includes bugfixes and small API/feature improvements only (no major new functionality). No security fixes are included in this release.

Added human-readable labels to image styles, in addition to the existing machine-readable name (API change: https://drupal.org/node/2058503).

Fixed the default ordering of CSS files for sites using right-to-left languages, to consistently place the right-to-left override file immediately after the CSS it is overriding (API change: https://drupal.org/node/2058463).

Fixed a fatal error on PostgreSQL databases when updating the Taxonomy module from Drupal 6 to Drupal 7.

Added a drupal_check_memory_limit() API function to allow the memory limit to be checked consistently (API addition).

Changed the default web.config file for IIS servers to allow favicon.ico files which are present in the filesystem to be accessed.

Fixed inconsistent support for the 'tel' protocol in Drupal's URL filtering functions.

Performance improvement: Allowed all hooks to be included in the module_implements() cache, even those that are only invoked on HTTP POST requests.

Made the database system replace truncate queries with delete queries when inside a transaction, to fix issues with PostgreSQL and other databases.

Fixed a bug which prevented cached image derivatives from being flushed for private files and other non-default file schemes.

Fixed drupal_render() to always return an empty string when there is no output, rather than sometimes returning NULL (minor API change).

Added protection to cache_clear_all() to ensure that non-cache tables cannot be truncated (API addition: a new isValidBin() method has been added to the default database cache implementation).

Changed the default .htaccess file to support HTTP authorization in CGI environments.

Changed the password reset form to pre-fill the username when requested via a URL query parameter, and used this in the error message that appears after a failed login attempt (minor data structure and behavior change).

Fixed broken support for foreign keys in the field API.

Fixed "No active batch" error when a user cancels their own account.

Added a description to the "access content overview" permission on the permissions page (string change).

7.22

4 April 2013 - 24MB

Maintenance release of the Drupal 7 series. Includes bugfixes and small API/feature improvements only (no major new functionality); significant new features are only being added to the forthcoming Drupal 8.0 release. No security fixes are included in this release.

Allowed the drupal_http_request() function to be overridden so that additional HTTP request capabilities can be added by contributed modules.

Changed the Simpletest module to allow PSR-0 test classes to be used in Drupal 7.

Removed an unnecessary "Content-Disposition" header from private file downloads; it prevented many private files from being viewed inline in a web browser.

Changed various field API functions to allow them to optionally act on a single field within an entity (API addition: http://drupal.org/node/1825844).

Fixed a bug which prevented Drupal's file transfer functionality from working on some PHP 5.4 systems.

Fixed incorrect log message when theme() is called for a theme hook that does not exist (minor string change).

Fixed Drupal's token-replacement system to allow spaces in the token value.

Changed the default behavior after a user creates a node they do not have access to view. The user will now be redirected to the front page rather than an access denied page.

Fixed a bug which prevented empty HTTP headers (such as "0") from being set. (Minor behavior change: Callers of drupal_add_http_header() must now set FALSE explicitly to prevent a header from being sent at all; this was already indicated in the function's documentation.)

Fixed OpenID errors when more than one module implements hook_openid(). The behavior is now changed so that if more than one module tries to set the same parameter, the last module's change takes effect.

Fixed a serious documentation bug: The $name variable in the taxonomy-term.tpl.php theme template was incorrectly documented as being sanitized when in fact it is not.

Fixed a bug which prevented Drupal 6 to Drupal 7 upgrades on sites which had duplicate permission names in the User module's database tables.

Added an empty "datatype" attribute to taxonomy term and username links to make the RDFa markup upward compatible with RDFa 1.1 (minor markup addition).

Fixed a bug which caused the denial-of-service protection added in Drupal 7.20 to break certain valid image URLs that had an extra slash in them.

Fixed a bug with update queries in the SQLite database driver that prevented Drupal from being installed with SQLite on PHP 5.4.

Refactored the Field module's caching behavior to obtain large improvements in memory usage for sites with many fields and instances (API addition: http://drupal.org/node/1915646).

Fixed entity argument not being passed to implementations of hook_file_download_access_alter(). The fix adds an additional context parameter that can be passed when calling drupal_alter() for any hook (API change: http://drupal.org/node/1882722).